Common ACL operations - configuring a packet filtering rule

Latest reply: Jul 25, 2016 09:45:19

This post is about the common ACL operations - configuring a packet filtering rule. Please see below for details.


Configuring a Packet Filtering Rule for ICMP Protocol Packets Based on Source IP Address (Host Address) and Destination IP Address Segment

To allow the ICMP packets from a host that are destined for a network segment to pass, configure a rule in an ACL. For example, to allow the ICMP packets from host 192.168.1.3 that are destined for network segment 192.168.2.0/24 to pass, configure the following rule in ACL 3001.

Configuring a Packet Filtering Rule for TCP Protocol Packets Based on TCP Destination Port Number, Source IP Address (Host Address), and Destination IP Address Segment

  • To prohibit Telnet connections between the specified host and the hosts on a network segment, configure a rule in an advanced ACL. For example, to prohibit Telnet connections between host 192.168.1.3 and hosts on network segment 192.168.2.0/24, configure the following rule in the advanced ACL deny-telnet.
  • To prohibit the specified hosts from accessing web pages (web pages are accessed over HTTP, which uses TCP port 80), configure rules in an advanced ACL. For example, to prohibit hosts 192.168.1.3 and 192.168.1.4 from accessing web pages, configure the following rules in ACL no-web and set the description of the ACL to Web access restrictions.

Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address Segment and TCP Flags

To implement unidirectional access control on a network segment, configure rules in an ACL. For example, to implement unidirectional access control on network segment 192.168.2.0/24, configure the following rules in ACL 3002. With these rules, hosts on 192.168.2.0/24 can respond to TCP connection attempts but cannot initiate them. Set the descriptions of the ACL rules to Allow ACK TCP packets through, Allow RST TCP packets through, and Do not allow other TCP packets through.

To meet the preceding requirement, configure two permit rules that allow TCP packets with the ACK flag or the RST flag set from 192.168.2.0/24 to pass, and then configure a deny rule that rejects all other TCP packets from this network segment. Because a SYN+ACK reply has the ACK flag set, it passes the first rule, while a bare SYN sent from the segment is caught by the deny rule. Note that this check is stateless: any packet with ACK set passes, whether or not it belongs to an established connection.

Configuring Packet Filtering Rules Based on the Source MAC Address, Destination MAC Address, and Layer 2 Protocol Types

  • To allow the ARP packets with the specified destination and source MAC addresses and Layer 2 protocol type to pass, configure a rule in a Layer 2 ACL. For example, to allow the ARP packets with destination MAC address 0000-0000-0001, source MAC address 0000-0000-0002, and Layer 2 protocol type 0x0806 to pass, configure the following rule in ACL 4001.
  • To reject the PPPoE packets with the specified Layer 2 protocol type, configure a rule in a Layer 2 ACL. For example, to reject PPPoE packets with Layer 2 protocol type 0x8863 (the PPPoE Discovery stage), configure the following rule in ACL 4001.

Configuring a Packet Filtering Rule Based on the Source MAC Address Segment and Inner VLAN IDs

To reject the packets from the specified MAC address segments in a VLAN, configure a rule in a Layer 2 ACL. For example, to reject the packets from source MAC address segment 00e0-fc01-0000 to 00e0-fc01-ffff in VLAN 10, configure the following rule in Layer 2 ACL deny-vlan10-mac.

Configuring Packet Filtering Rules Based on Layer 2 Headers, Offsets, Character String Masks, and User-Defined Character Strings

  • To reject the ARP packets from the specified host, configure a rule in a user-defined ACL. For example, to reject the ARP packets from host 192.168.0.2, configure the following rule in ACL 5001.

    In the following rule:
    • 0x00000806 indicates the ARP protocol: EtherType 0x0806 in the lower two bytes of the 4-byte window at offset 10.
    • 0x0000ffff is the character string mask: only the lower two bytes of the window are compared.
    • 10 indicates the offset of the window that covers the protocol type (EtherType) field in an ARP frame without a VLAN tag; the field itself occupies bytes 12 and 13.
    • c0a80002 is the hexadecimal format of 192.168.0.2.
    • 26 and 30 respectively indicate the offsets of the windows that cover the higher and lower two bytes of the source IP address in ARP frames without a VLAN tag. The sender IP address of an ARP frame starts at byte offset 28 of the Layer 2 frame (counting from 0) and occupies 4 bytes. The Layer 2 header offset defined in a user-defined ACL must be 4n+2 (n is an integer), and each offset selects a 4-byte window, so the address is matched in two parts: the lower two bytes of the window at offset 26 (4 x 6 + 2) carry the higher two bytes of the address (0xc0a8), and the higher two bytes of the window at offset 30 (4 x 7 + 2) carry the lower two bytes (0x0002).
    To filter ARP frames that carry a VLAN tag, add 4 to each of the preceding offsets.
    Figure 1 Source IP address field offset in Layer 2 header of an ARP packet
    NOTE:

    The user ACLs configured on S2750, S5710-C-LI, S5710-X-LI, S5700LI, and S5700S-LI do not support this configuration, and can match only character strings.

  • To reject all TCP packets, configure a rule in user-defined ACL deny-tcp.

    In the following rule:
    • 0x00060000 indicates the TCP protocol: protocol number 6 in the second-highest byte of the 4-byte window.
    • 8 indicates the offset of the window that covers the protocol field in the IPv4 header. The protocol field is the byte at offset 9 (the 10th byte) of the IPv4 header. The IPv4 header offset defined in a user-defined ACL must be 4n (n is an integer), so the window starts at offset 8 and the second-highest of its four bytes is the one compared (the corresponding mask is 0x00ff0000).
    Figure 2 TCP protocol field offset in IPv4 header

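The offset and mask arithmetic explained above for user-defined ACLs, together with the ACK/RST rule from the unidirectional access control section, modelled in Python as an added example. This is not the switch's code and it does not reproduce the vendor's CLI syntax, which must be taken from the device's command reference; it only computes the (offset, value, mask) windows under the 4n+2 (Layer 2) and 4n (IPv4 header) alignment rules stated on the page and checks them against constructed frames. Field positions are the page's: EtherType at bytes 12-13 and sender IP at bytes 28-31 of an untagged ARP frame, protocol at byte 9 of the IPv4 header. The sample frames are constructed, not captured.

```python
"""Offline model of the user-defined (offset/mask) ACL rules and the TCP-flag
rule described on this page.  Example code written for this page, not the
switch's implementation; vendor CLI syntax is deliberately not reproduced."""
import struct

VLAN_TAG_LEN = 4                      # 802.1Q tag shifts every L2 offset by 4
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def window_triples(field_offset, field_value, align):
    """Split a header field into 4-byte match windows.

    A user-defined ACL compares 4 bytes at an offset that must be 4n+2 for
    the Layer 2 header (align=2) and 4n for the IPv4 header (align=0).  A field
    narrower than a window, or straddling two windows, becomes several
    (offset, value, mask) triples with the bytes outside the field masked out.
    """
    triples = []
    pos, end = field_offset, field_offset + len(field_value)
    while pos < end:
        win = pos - ((pos - align) % 4)          # largest aligned offset <= pos
        value = mask = 0
        for i in range(4):
            b = win + i
            if field_offset <= b < end:
                shift = 8 * (3 - i)               # network byte order, MSB first
                value |= field_value[b - field_offset] << shift
                mask |= 0xFF << shift
        triples.append((win, value, mask))
        pos = win + 4
    return triples


def shift_offsets(triples, delta):
    """Same rule re-based, e.g. +4 when the frame carries an 802.1Q tag."""
    return [(off + delta, value, mask) for off, value, mask in triples]


def matches(header, triples):
    """True if every window of the rule matches the header bytes."""
    for off, value, mask in triples:
        if off + 4 > len(header):
            return False
        word = struct.unpack_from("!I", header, off)[0]
        if word & mask != value:
            return False
    return True


def unidirectional_tcp_verdict(tcp_flags):
    """ACL 3002 on the page: hosts may answer handshakes but not start them."""
    if tcp_flags & TCP_ACK:
        return "permit"        # rule 1: ACK set (covers SYN+ACK replies)
    if tcp_flags & TCP_RST:
        return "permit"        # rule 2: RST set
    return "deny"              # rule 3: any other TCP, notably a bare SYN


def build_arp_request(src_mac, src_ip, target_ip, vlan_id=None):
    """Constructed sample frame (not captured traffic): Ethernet + ARP request."""
    eth = bytes.fromhex("ffffffffffff") + src_mac
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id)       # TPID + TCI
    eth += struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # Ethernet/IPv4, request
    arp += src_mac + src_ip + bytes(6) + target_ip
    return eth + arp


# Page rule: deny ARP from 192.168.0.2 (EtherType at L2 offset 12, sender IP at 28).
DENY_ARP_FROM_HOST = (window_triples(12, b"\x08\x06", 2)
                      + window_triples(28, bytes([192, 168, 0, 2]), 2))
# Page rule: match TCP through the IPv4 protocol byte (offset 9 in the header).
MATCH_TCP = window_triples(9, b"\x06", 0)

if __name__ == "__main__":
    mac = bytes.fromhex("00e0fc010001")                  # constructed address
    good = build_arp_request(mac, bytes([192, 168, 0, 2]), bytes([192, 168, 0, 1]))
    other = build_arp_request(mac, bytes([192, 168, 0, 3]), bytes([192, 168, 0, 1]))
    tagged = build_arp_request(mac, bytes([192, 168, 0, 2]), bytes([192, 168, 0, 1]), 10)
    print(DENY_ARP_FROM_HOST)   # [(10, 0x806, 0xffff), (26, 0xc0a8, 0xffff), (30, 0x20000, 0xffff0000)]
    print(MATCH_TCP)            # [(8, 0x60000, 0xff0000)]
    print(matches(good, DENY_ARP_FROM_HOST), matches(other, DENY_ARP_FROM_HOST))
    print(matches(tagged, DENY_ARP_FROM_HOST),
          matches(tagged, shift_offsets(DENY_ARP_FROM_HOST, VLAN_TAG_LEN)))
    print(unidirectional_tcp_verdict(TCP_SYN), unidirectional_tcp_verdict(TCP_SYN | TCP_ACK))
```

Running it reproduces the page's three Layer 2 windows (offset 10 with 0x00000806/0x0000ffff, offset 26 with 0x0000c0a8/0x0000ffff, offset 30 with 0x00020000/0xffff0000) and the IPv4 window (offset 8 with 0x00060000/0x00ff0000). The tagged frame is not matched by the untagged rule but is matched once every offset is shifted by 4, which is why the page tells you to add 4 for VLAN-tagged traffic, and the flag check shows that a bare SYN from the segment is denied while the SYN+ACK reply passes.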

user_2790689
Created Jul 15, 2016 03:56:27

Common ACL Operations:Configuring a Packet Filtering Rule

Thank you

user_1763575
Created Jul 21, 2016 07:58:10

Common ACL Operations:Configuring a Packet Filtering Rule

Thank you